One of the biggest cybersecurity stories of 2023 was the U.S. Securities and Exchange Commission (SEC) formally charging SolarWinds and its CISO, Timothy G. Brown, with fraud and internal control failures related to SolarWinds’ 2019 cyberattack. The charges sent a strong message to the CISO community, suggesting that they can now be held criminally or civilly liable for misrepresenting their organization’s cybersecurity posture. The indictment may set the stage for additional criminal charges and civil lawsuits against CISOs at organizations that have experienced significant breaches.
All told, Brown’s indictment highlights the heightened stress and very personal risk CISOs and CSOs now face in their role. Executives who get brought up on federal charges can anticipate a long, stressful, and expensive road, as their case may take several years to wind its way through the legal system.
While the outcome of the SolarWinds trial remains to be seen, there are still many valuable lessons CISOs can draw from what we know so far. Charles Blauner, the former CISO of JP Morgan, Deutsche Bank, and Global Head of Information Security at Citi; ExtraHop CEO Greg Clark; and ExtraHop Chief Information Security and Risk Officer Mark Bowling offer their advice.
Document Your Organization’s Cyber Risk Governance Policies
Blauner, who currently serves as president of Cyber Aegis and CISO-in-Residence for venture capital firm Team8, says it’s now critical for CISOs to document their organization’s processes for identifying cyber risks, quantifying their business impact, and determining which ones to accept. Organizations must also document their governance process for incident response and for notifying regulators of incidents. This documentation needs to be crystal clear about how the organization’s cyber risk identification and evaluation processes work and who the accountable business leaders are—in other words, who is and isn’t responsible for identifying security risks and for approving risk acceptances—since in many organizations the CISO is responsible for identifying cyber risks but lacks the authority to make risk acceptance decisions (typically the purview of the CEO or equivalent business leadership).
If you don’t have a documented cyber risk governance process, adds Blauner, then answers to questions about who can make risk management decisions or regulatory notifications become hit or miss, and the entire process may come across to a jury or to regulators as accidental, rather than rigorous or disciplined.
Demand Visibility Into and Approval Over Cyber-Related Regulatory Filings and Statements
The Securities and Exchange Commission (SEC) issued new requirements for filings that officially took effect in December 2023, including a requirement “to disclose material cybersecurity incidents” that SEC registrants experience and “to disclose on an annual basis material information regarding their cybersecurity risk management, strategy, and governance.”
The challenge many CISOs at publicly traded companies now face in the aftermath of the SolarWinds indictment is that they can be held criminally liable for perceived misstatements or perceived misrepresentations in filings that they may not have had any involvement in drafting, according to Blauner. The lesson, then, is for CISOs to make sure that they are part of the process of drafting both cyber-related regulatory disclosures and public comments on cyber made by the CEO or other officers of the company. Speak with your CFO and general counsel about getting involved since the SEC will come after you for fraud or negligence, regardless of whether you’re an official officer of the company, adds Blauner.
Demand Directors and Officers Insurance
Defending yourself against an indictment could easily cost multiple millions of dollars, even if you aren’t found guilty. So if you’re not already covered by your organization’s Directors and Officers (D&O) insurance, it’s time to have that conversation with your management and HR. Otherwise, you’ll have to cover the cost of any potential legal fees on your own.
If you are covered by D&O insurance, find out whether your organization’s policy allows you to retain your own independent counsel. This can be an important failsafe if you find yourself in the unfortunate situation where the lawyers hired by your organization don't have your best interests in mind.
ExtraHop Chief Information Security and Risk Officer Mark Bowling recommends considering personal liability insurance beyond your D&O coverage. He notes that there may be limits to what your organization’s policy will cover, and personal liability insurance can help limit how much of the surplus comes out of your pocket.
“If you send only one email today, send it to your CFO and your boss about D&O insurance and getting involved in regulatory disclosures,” says Clark. “The email can be very pro-company, pro-improvement. Let them know you’re interested in having a conversation about how the company can extend its enterprise risk management program to cover new cyber topics mandated by the SEC, and secondly, if the company’s auditors can make suggestions on how to cover off on these new risks. And finally, given these new risks, you’d like to have a conversation about amendments to your employment agreement so you can gain D&O coverage that allows you to retain your own independent counsel.”
Know Your Constitutional Rights
If you find yourself in the unfortunate position of facing a criminal indictment, Bowling, a former federal law enforcement officer, says it’s critical to remember your 5th Amendment rights, particularly your right not to be compelled to be a witness against yourself. The 5th Amendment provides protections against self-incrimination, that is, against providing statements that can be used to prosecute a person. However, regulatory bodies such as the SEC and the FTC can compel statements from employees of companies under their purview, notes Bowling. If regulatory investigators start acting like there is any chance they may file criminal charges, then CISOs need to be prepared to exercise their rights to legal counsel and to refuse to answer questions, he adds. If regulators bring in an organization such as the FBI, and a CISO finds themselves in an investigative interview with multiple agents, that CISO should immediately decline to answer questions and seek legal counsel, according to Bowling.
“The SolarWinds indictment has really changed the operating environment for CISOs, and we need to take stock of our personal risk, just as we do for our organizations’ cyber risk,” says Blauner. “Documenting our organizations’ cyber risk governance processes, getting involved in regulatory disclosures, ensuring we have D&O coverage, and working with our organization’s external auditors can go a long way toward mitigating the new risks CISOs face.”
How are cyber risk management and governance processes changing inside your organization in response to the SolarWinds indictment? Join the conversation on the ExtraHop Customer Community.